b69905a308b81eb1507cad4bd030e9cf6b5351149cba92e2dfec54cd32adad62

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Size

91KB
MD5

7f3c4e4b5a2767ab17016d6ea99fac10
SHA1

11792ae4e8923f06cedd54ec329f6761bf068bd6
SHA256

b69905a308b81eb1507cad4bd030e9cf6b5351149cba92e2dfec54cd32adad62
SHA512

74de4250f828f74ccd29cf5cc6d465d55488c9e94d2d0b1d40ead5ed29f167ebb9a259d392451e8e80cbbf5c133091f91ff3c3eecaa7397ba4b9d2b2d6b6d44c
SSDEEP

768:5vw9816uhKirosL4/wQNNrfrunMxVFA3b7t:lEGkmosLlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}\stubpath = "C:\\Windows\\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe"	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22204D10-26B5-4682-AFDB-C5FE45578BDF}	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}\stubpath = "C:\\Windows\\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe"	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE11C4D4-4088-482f-AA2A-5225EF028F97}	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D4F104-5214-4c43-A215-14639F44E5B8}	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D4F104-5214-4c43-A215-14639F44E5B8}\stubpath = "C:\\Windows\\{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe"	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{687EBB2B-6017-4481-A6F2-ED877FC7B258}	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22204D10-26B5-4682-AFDB-C5FE45578BDF}\stubpath = "C:\\Windows\\{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe"	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65E55195-C372-4be9-866F-9B6C5115C0BA}\stubpath = "C:\\Windows\\{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe"	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC0CDCAD-1418-4e36-94ED-E3923083A195}	{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC0CDCAD-1418-4e36-94ED-E3923083A195}\stubpath = "C:\\Windows\\{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe"	{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}\stubpath = "C:\\Windows\\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe"	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65E55195-C372-4be9-866F-9B6C5115C0BA}	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE11C4D4-4088-482f-AA2A-5225EF028F97}\stubpath = "C:\\Windows\\{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe"	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{687EBB2B-6017-4481-A6F2-ED877FC7B258}\stubpath = "C:\\Windows\\{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe"	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
544	{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
1180	{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
File created	C:\Windows\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
File created	C:\Windows\{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
File created	C:\Windows\{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe	{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
File created	C:\Windows\{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
File created	C:\Windows\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
File created	C:\Windows\{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
File created	C:\Windows\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
File created	C:\Windows\{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Token: SeIncBasePriorityPrivilege	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
Token: SeIncBasePriorityPrivilege	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
Token: SeIncBasePriorityPrivilege	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
Token: SeIncBasePriorityPrivilege	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
Token: SeIncBasePriorityPrivilege	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
Token: SeIncBasePriorityPrivilege	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
Token: SeIncBasePriorityPrivilege	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
Token: SeIncBasePriorityPrivilege	544	{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2752	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	31
PID 1596 wrote to memory of 2752	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	31
PID 1596 wrote to memory of 2752	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	31
PID 1596 wrote to memory of 2752	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	31
PID 1596 wrote to memory of 2704	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	32
PID 1596 wrote to memory of 2704	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	32
PID 1596 wrote to memory of 2704	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	32
PID 1596 wrote to memory of 2704	1596	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	32
PID 2752 wrote to memory of 2568	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	33
PID 2752 wrote to memory of 2568	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	33
PID 2752 wrote to memory of 2568	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	33
PID 2752 wrote to memory of 2568	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	33
PID 2752 wrote to memory of 2712	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	34
PID 2752 wrote to memory of 2712	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	34
PID 2752 wrote to memory of 2712	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	34
PID 2752 wrote to memory of 2712	2752	{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe	34
PID 2568 wrote to memory of 2608	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	35
PID 2568 wrote to memory of 2608	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	35
PID 2568 wrote to memory of 2608	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	35
PID 2568 wrote to memory of 2608	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	35
PID 2568 wrote to memory of 2084	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	36
PID 2568 wrote to memory of 2084	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	36
PID 2568 wrote to memory of 2084	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	36
PID 2568 wrote to memory of 2084	2568	{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe	36
PID 2608 wrote to memory of 2412	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	37
PID 2608 wrote to memory of 2412	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	37
PID 2608 wrote to memory of 2412	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	37
PID 2608 wrote to memory of 2412	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	37
PID 2608 wrote to memory of 2420	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	38
PID 2608 wrote to memory of 2420	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	38
PID 2608 wrote to memory of 2420	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	38
PID 2608 wrote to memory of 2420	2608	{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe	38
PID 2412 wrote to memory of 2376	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	39
PID 2412 wrote to memory of 2376	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	39
PID 2412 wrote to memory of 2376	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	39
PID 2412 wrote to memory of 2376	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	39
PID 2412 wrote to memory of 2644	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	40
PID 2412 wrote to memory of 2644	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	40
PID 2412 wrote to memory of 2644	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	40
PID 2412 wrote to memory of 2644	2412	{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe	40
PID 2376 wrote to memory of 2960	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	41
PID 2376 wrote to memory of 2960	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	41
PID 2376 wrote to memory of 2960	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	41
PID 2376 wrote to memory of 2960	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	41
PID 2376 wrote to memory of 1480	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	42
PID 2376 wrote to memory of 1480	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	42
PID 2376 wrote to memory of 1480	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	42
PID 2376 wrote to memory of 1480	2376	{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe	42
PID 2960 wrote to memory of 2640	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	43
PID 2960 wrote to memory of 2640	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	43
PID 2960 wrote to memory of 2640	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	43
PID 2960 wrote to memory of 2640	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	43
PID 2960 wrote to memory of 2860	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	44
PID 2960 wrote to memory of 2860	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	44
PID 2960 wrote to memory of 2860	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	44
PID 2960 wrote to memory of 2860	2960	{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe	44
PID 2640 wrote to memory of 544	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	45
PID 2640 wrote to memory of 544	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	45
PID 2640 wrote to memory of 544	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	45
PID 2640 wrote to memory of 544	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	45
PID 2640 wrote to memory of 1160	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	46
PID 2640 wrote to memory of 1160	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	46
PID 2640 wrote to memory of 1160	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	46
PID 2640 wrote to memory of 1160	2640	{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe	46

C:\Users\Admin\AppData\Local\Temp\7f3c4e4b5a2767ab17016d6ea99fac10N.exe
"C:\Users\Admin\AppData\Local\Temp\7f3c4e4b5a2767ab17016d6ea99fac10N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
  C:\Windows\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
    C:\Windows\{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
      C:\Windows\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
        
        C:\Windows\{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
        
        C:\Windows\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
        
        C:\Windows\{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
        
        C:\Windows\{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
        
        C:\Windows\{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe
        
        C:\Windows\{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D4F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{687EB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE11C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F76C7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65E55~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0EBA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22204~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{514CD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F3C4E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22204D10-26B5-4682-AFDB-C5FE45578BDF}.exe

Filesize
91KB

MD5
3e629acc6c05087c62a72383cfec3774

SHA1
ad519ab5547982841703185aa09744c1b352b6b1

SHA256
015c551b24fbc21657643e729a1ab73d9f0510f49cc5fc35e27dde9bea136908

SHA512
acc81579f1b9a57ff01dcec0dfa21dc0a981258aae907ff5e9a1ef04bd6236bd5ad97cc97856cf8574f0dae94ced215be1c4d1e9d5a67bcda46997c4fb4c694e

Download Submit
C:\Windows\{514CD281-A768-44ff-BC6F-D77AADF6ABC7}.exe

Filesize
91KB

MD5
0f9dd62d57bc0b1cdf564eb109e91521

SHA1
ebc5e2d7ea9cde02bab7061a6048539d00a5376e

SHA256
3095acf295d0170df0885393c43aaadbe9b08dee8498f155478c0f9e468fb39a

SHA512
ea9c6696e1efd3acc44986d6fb5c13d840d9322eb15c0b29b724f7fe3b3136a3752578fa024b04fe271546536dae339bff2e5bcf1c8180ece4744689e871eb3c

Download Submit
C:\Windows\{65E55195-C372-4be9-866F-9B6C5115C0BA}.exe

Filesize
91KB

MD5
a78438f6ab526dbbc548cb340e17ad1b

SHA1
69d0b46afbcd533df7e63f8603945ebf76e9c6ce

SHA256
c0575d2782637c018f607df6bd4a0e9af4864f495e9c05d2e7cd5a322bfdbf1c

SHA512
a64e921ba5fcf29abace2fdb109c08c06886057bf65fa96b39bf1325479918d16f3320cedc9b37df0bec2dfbe1f3294aea9bc418e5935f8787c6b4f02c65351b

Download Submit
C:\Windows\{687EBB2B-6017-4481-A6F2-ED877FC7B258}.exe

Filesize
91KB

MD5
fd820b0ca99767d9ea8715161269bb51

SHA1
f6a173821004dff1abb091159a2b6d3ffb4160ce

SHA256
11fe2c66f279de7e82850a5fbf4ddeec73ca1f47c02716d0f8aa4c3da5492aaf

SHA512
3f381f8e280919992399af00840c1f1f2197eac8e4e5a8ebb2c4b7942c208752567105a9673e07030240bda2bf26cfc5dbb030dcfa3727fe9c4f1c9620a8cd00

Download Submit
C:\Windows\{AC0CDCAD-1418-4e36-94ED-E3923083A195}.exe

Filesize
91KB

MD5
88a697175a5c79e77c794d1d413712a7

SHA1
23312a8e7709394291ee35bde8a722ae33cb7da2

SHA256
fd813859902b12b68086fa9a49e9368bf950c9c8ce0ca3d88b656546b30dadeb

SHA512
8ea62b8062cd421c65d65620296d1e8c4e92c75a8391323617104725aa62722c7c5061b94080742281f36415effad39156cdf475682cb596bb2fb883832a63fb

Download Submit
C:\Windows\{AE11C4D4-4088-482f-AA2A-5225EF028F97}.exe

Filesize
91KB

MD5
5759bd6ddce1ccbf8b2198d81c3dab9d

SHA1
07349a9b6367ce0349a1d839d525d8db78fc6b29

SHA256
02b11a93cae131c993b326e853437105b8adc1f645cc6466df01042470d47ffc

SHA512
3f738ed76cb056c46a4802eba3c7bdbfc9c26a6b71db30d87642a049a4411b671b2c755b2cdb5a9c61c777f0e689c0a4d13d4b9be21ba5a76ba761310652be0b

Download Submit
C:\Windows\{C2D4F104-5214-4c43-A215-14639F44E5B8}.exe

Filesize
91KB

MD5
3140933bb4178b6cdbc35374b3a71f27

SHA1
536a58debb1c168a09d58abb20892f7f2107956a

SHA256
7018fb8bc77bea48a50e1edac4e6f88a2b9c4201e3453d9bbdd1c67612f57e58

SHA512
91af018672213f457861584d93d9900f85719eec45110baac2e587deffa949aff2c22616795aae32437c5cd3f10ec4ac7f218d688580c37c7fb3ef7695665cba

Download Submit
C:\Windows\{E0EBA6D5-C98C-4653-A8D3-C20F02660FEC}.exe

Filesize
91KB

MD5
68692b36cdb7509a842e2ef69e50f67d

SHA1
dd7e398d20cdad46cd5ac8aa8bbaa85651cfcd1e

SHA256
eb4fa75c1ebc532867208a50df1341b4da9491854e44fcc61b4777428ffd272d

SHA512
d81b7667ea66bb2d7ac6ce2c4e48475a94a2cff303e69a35a1e0e3b4b12cf2be0f9a7543bbbead7c3ddf0348cb63c7fb75a13c03487e76647479cb96b274e37e

Download Submit
C:\Windows\{F76C7E82-8717-4ca9-BD73-EFD0A49301D7}.exe

Filesize
91KB

MD5
6cc494706d7b68a5a17324f0a53eec66

SHA1
8d9f274d9e1c8b6bd8e05777b09d86d739a13053

SHA256
17055d4d682d1033bc7d3c8ba833ed8593b13e72746e788cbb6b77ad5ffb4631

SHA512
a89d13cab57abf7d53ba245b6dbf7307ab47aba23bfcfcc37eebf2ba23cadca53f313b3f6846c624f4600fb17d640c72b62852963f97eb2baf071d61ca82a457

Download Submit
memory/544-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/544-79-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1596-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1596-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1596-4-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/1596-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2376-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2376-52-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2376-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-46-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2412-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-22-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2608-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-32-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2640-70-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2640-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2752-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2752-13-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2752-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-61-0x0000000001C20000-0x0000000001C31000-memory.dmp

Filesize
68KB

Download
memory/2960-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads